Threat Intelligence - RH-ISAC Blog

Context On August 4, 2022, Cisco Talos Intelligence researchers reported new technical details of a tool called “Dark Utilities” that provides a full suite of command-and-control (C2) capabilities for threat actors. The tool, which was released in early 2022, is advertised by creators as enabling remote access, command execution, distributed denial-of-service (DDoS) attacks, and cryptomining…

Context On August 3, 2022, ZScaler researchers reported the technical details of an adversary in the middle (AiTM) campaign active since at least June 2022. The RH-ISAC team believes, based on timing and nearly identical tactics, techniques, and procedures (TTPs), that this campaign is likely connected to highly similar activity previously reported by Microsoft. Key…

Context On June 7, 2022, researchers at Zimperium reported technical details of an adware campaign targeting Russian gaming, social media, and ecommerce site users. The campaign uses more than 350 variations of malicious browser extensions using the Google Translate extension ID to trick victims into downloading the malicious files. Researchers named the extension group “ABCsoup.”…

Context On June 28, 2022, ReversingLABS researchers reported a phishing campaign using malicious Microsoft Office files to distribute the new 2.0 version of the AstraLocker ransomware. Researchers assess that the threat actors behind the campaign likely obtained the AstraLocker 2.0 code from the Babuk leak in September of 2021, based on shared code and campaign…

Context On June 28, 2022, Palo Alto Unit 42 researchers reported technical details and a proof of concept (PoC) exploit code for CVE-2022-30137, which they have designated FabricScape. CVE-2022-30137 is rated at 6.7 or medium severity, and affects Microsoft Service Fabric. Service Fabric is commonly used with Azure and hosts over one million applications daily. Microsoft released a patch…

Summary The Common Weakness Enumeration (CEV) organization has released their 2022 Top 25 Most Dangerous Software Weaknesses list. This list demonstrates the most common and impactful software weaknesses occurring during the year of 2022. To create the list, the CWE Team leveraged Common Vulnerabilities and Exposures (CVE) data found within the National Institute of Standards and Technology (NIST) National Vulnerability…

Context On June 9, 2022, SentinelLabs disclosed technical details of a new Chinese-speaking cyberespionage group designated Aoqin Dragon. According to researchers at SentinelLabs, the group has been operating a cyberespionage campaign against government, education, and telecommunication organizations in Southeast Asia and Australia from at least 2013 to the present. SentinelLabs researchers also assessed with moderate…

Context On the evening of June 7, 2022, the United States National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) released a joint advisory detailing the tactics, techniques, and procedures (TTPs) used by unspecified Chinese state-backed threat actors to target unspecified telecommunication and network service organizations…

Context On June 1, 2022, the United States Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigations (FBI), the Treasury Department, and the Financial Crimes Enforcement Network released a joint advisory with technical details and indicators of compromise for the Karakurt data extortion group. Karakurt is an advanced persistent threat (APT) group focused…

Context Microsoft has shared mitigation measures, which are included below, to block attacks exploiting the flaw, designated CVE-2022-30190, while a patch is being developed. Microsoft‘s entry for CVE-2022-30190 indicates it affects MSDT on all versions of Windows and Windows Server and has detected exploitation in the wild. The remote code execution vulnerability exists when Microsoft Support Diagnostic Tool (MSDT) is called using the…